Abstract

Recent results have shown the usefulness of tamper-proof hardware tokens as a setup
assumption for building UC-secure two-party computation protocols, thus providing broad
security guarantees and allowing the use of such protocols as building blocks in the modular
design of complex cryptographic protocols. All these works have in common that they assume
the tokens to be completely isolated from their creator, but this is a strong assumption. In
this work we investigate the feasibility of cryptographic protocols in the setting where the
isolation of the hardware token is weakened.

We consider two cases: (1) the token can relay messages to its creator, or (2) the creator
can send messages to the token after it is sent to the receiver. We provide a detailed
characterization for both settings, presenting both impossibilities and information-theoretically
secure solutions.

Keywords: Hardware Tokens, Isolation Assumption, UC security, One-Time Memory, 
Oblivious Transfer. 


1 Introduction 


Tamper-proof hardware tokens are a valuable resource for designing cryptographic protocols.
It was shown in a series of recent papers that tamper-proof hardware tokens can be used as a
cryptographic setup assumption to obtain Universally Composable (UC) [5] secure two-party
computation protocols [20], [22], [ig dzi IS], thus achieving solutions that are secure according
to one of the most stringent cryptographic models and can be used as building blocks in the
modular design of complex cryptographic protocols. Döttling et al. [13] showed that even a single
tamper-proof hardware token generated by one of the mutually distrusting parties is enough to
obtain information-theoretical security in the UC framework.

All these works have in common that the tokens are assumed to be completely isolated
from their creator. In light of recent events this assumption becomes questionable at the least,
apart from the fact that the tokens could contain internal clocks, which can be exploited in
conjunction with the activation time to send information into the device (or to make the abort
behavior dependent on the activation time, which is not modeled in the UC framework). We
highlight that this problem is orthogonal to leakage and side-channel attacks, e.g. [ElES], where
a malicious token receiver tries to extract some of the contents of the token, i.e. the
tamper-resilience assumption is weakened. In contrast, we consider a weakened isolation assumption.
A similar scenario was studied by Damgård et al., but only for a bandwidth-restricted
channel and computational security. They showed that a partial physical separation of parties,
e.g. in a token with a low-bandwidth covert channel, allows one to perform UC-secure multiparty
computation under standard cryptographic assumptions.

We consider an unrestricted channel and information-theoretical security. In this scenario,
communication in both directions between the token and its creator without any restriction
obviously renders the token useless as a setup assumption. Thus, there remain two different
kinds of communication that can be considered to weaken the isolation assumption: either the
tokens' creator can send messages to the tokens, or the tokens can send messages to their creator.
While we deem the first case to be more realistic, we consider both cases. We emphasize that
these one-way channels are available only to malicious parties and thus are not used by the
honest parties during the protocol execution. This scenario is not directly comparable with the
one by Damgård et al., since here a broadband communication channel is available, but it
is only one-way. This leads to the following question:

Is it possible to obtain UC-secure protocols even if there exists a broadband one-way
communication channel between the tokens and their creator?

In this work, we provide a broad characterization from a feasibility standpoint for both 
malicious incoming and outgoing communication between the tokens and their creator. For our 
solutions, we only require that one party can create hardware tokens. We thus call this party 
Goliath, while the receiver of the token is called David and cannot create tokens of its own. 

In more detail, we show that with one-way channels into the tokens, it is possible to basically
use the One-Time Memory (OTM) protocol with two tokens of Döttling et al. [13] to obtain
an information-theoretically UC-secure OTM with aborts (i.e., a malicious token creator can
change the abort behavior of the token at runtime, which is unavoidable if one-way channels
into the tokens are available), and we also provide a computationally UC-secure OTM protocol
from a single token. Additionally, it is possible to obtain information-theoretically UC-secure
Oblivious Transfer (OT) from a single hardware token. We prove an impossibility result for
unconditionally secure OTM with a single token.
Concerning one-way channels from the tokens to their creator, we show that it is impossible
to obtain even information-theoretically secure OT. We provide an information-theoretically
UC-secure commitment scheme, which can then be used to obtain a computationally UC-secure
OTM protocol with known techniques [25].

Further related work. Apart from the model of tamper-proof hardware as formalized
by Katz [20], also weaker models such as resettable hardware tokens were proposed, e.g. [15].
With resettable hardware, it is not possible to obtain information-theoretically secure oblivious
transfer, while commitments are still possible [nil ng]. Thus, the main focus of this
research direction is on efficient protocols based on computational assumptions while minimizing
the amount of communication and tokens [la ESI 1211 miiiiiH]. Further results about hardware
tokens can be found in [ziEiEKiaiiaii].

Another UC hardware setup assumption are physically uncloneable functions (PUFs) [24,
SIES], which have recently gained increasing interest. It was shown that PUFs can be used to
achieve oblivious transfer [m] and UC-secure commitments [12]. However, if the PUFs can be
created maliciously, oblivious transfer is impossible [10].

2 Preliminaries 

2.1 Notation 

We use standard information-theoretic measures: by $H(\cdot)$ we denote Shannon entropy, $H(\cdot \mid \cdot)$
denotes conditional entropy and $I(\cdot\,;\cdot)$ denotes the mutual information. Let in the following $\lambda$
denote a security parameter. We use the standard cryptographic notions of negligible functions,
as well as computational/statistical/perfect indistinguishability.

2.2 Model 

We state and prove our results in the Universal Composability (UC) framework of Canetti [5]
that allows for arbitrary composition of protocols. In this framework an ideal functionality
$\mathcal{F}$ that captures the desired security requirements has to be modeled. A protocol $\Pi$ that is
supposed to instantiate $\mathcal{F}$ runs in the real world, where an adversary $\mathcal{A}$ can corrupt protocol
parties. To prove the UC-security of $\Pi$, it has to be shown that there exists a simulator $\mathcal{S}$ that
only interacts with the ideal functionality and simulates the behavior of any $\mathcal{A}$ in such a way
that any environment $\mathcal{Z}$ that is plugged either into the real protocol or the simulated protocol
cannot distinguish the real protocol run of $\Pi$ from a simulated one.¹ For our results we assume
static corruption, i.e. the adversary cannot adaptively corrupt protocol parties.

Target Functionalities. Ideally one would like to use tamper-proof hardware tokens to realize
One-Time Memory (OTM) [16], as in the case where the token is modeled as being completely
isolated from its creator [13]. See Figure 1 for the OTM functionality definition. This primitive
resembles oblivious transfer, but the receiver can make his choice at any point in time and the
sender is not notified about this event. OTM allows one to build One-Time Programs [16, 18].

Impossibility of Realizing OTMs. Note that in the hybrid execution with a token and a
channel into the token, a dishonest sender $\mathcal{G}$ has the ability to send an abort message to $T$ at
any time, thus changing its abort behavior. In the ideal execution on the other hand, once the
OTM functionality goes to the ready state, it is not possible to change its output/abort behavior

¹ In the case of computational security we allow the simulator to be expected polynomial time.
Functionality $\mathcal{F}^{\mathrm{OTM}}$

Parametrized by a security parameter $\lambda$. The variable $F_{\mathrm{state}}$ is initialized with wait.

Creation. Upon receiving a message (create, sid, $\mathcal{G}$, $\mathcal{D}$, $s_0$, $s_1$) from $\mathcal{G}$ verify if $F_{\mathrm{state}}$ = wait and $s_0, s_1 \in
\{0,1\}^{\lambda}$; else abort. Next, set $F_{\mathrm{state}} \leftarrow$ sent, store (sid, $\mathcal{G}$, $\mathcal{D}$, $s_0$, $s_1$) and send the message (created, sid,
$\mathcal{G}$, $\mathcal{D}$) to the adversary.

Deliver. Upon receiving a message (deliver, sid, $\mathcal{G}$, $\mathcal{D}$) from the adversary, verify that $F_{\mathrm{state}}$ = sent; else
abort. Next, set $F_{\mathrm{state}} \leftarrow$ ready, and send (ready, sid, $\mathcal{G}$, $\mathcal{D}$) to $\mathcal{D}$.

Choice. Upon receiving a message (choice, sid, $\mathcal{G}$, $\mathcal{D}$, $c$) from $\mathcal{D}$ check if $F_{\mathrm{state}}$ = ready; else abort. Next,
set $F_{\mathrm{state}} \leftarrow$ dead and send (output, sid, $\mathcal{G}$, $\mathcal{D}$, $s_c$) to $\mathcal{D}$.


Figure 1: The One-Time Memory functionality.


anymore. Therefore it is not possible to realize the OTM functionality based on tokens that can
receive communication from a malicious $\mathcal{G}$.


OTM with Abort. Given the above fact that online changes in the abort behavior are
inherent in the setting with one-way communication into the token, we introduce an OTM
functionality with abort, see Figure 2. For such a functionality, there is an initial delivery
phase after which the adversary can only let the execution proceed correctly or switch off the
functionality whenever he wants (independently of David's inputs); but he cannot change the values
stored in the functionality.


3 The Case of Incoming Communication 

We first show that the existing solution of Döttling, Kraschewski and Müller-Quade [13] for
OTM with 2 tokens can be modified to UC-realize OTM with abort. Then we show that using
a single token, it is impossible to obtain an information-theoretically secure OTM protocol if
Goliath can send messages to the token. We sketch how an information-theoretically UC-secure
OT protocol from a single token can be obtained and give a construction of a computationally
UC-secure OTM protocol from a single hardware token.

The formalization of the ideal functionality for stateful tamper-proof hardware tokens in
this section uses a wrapper functionality as in the previous works [20], [Ea], [13], but as one-way
communication from the token issuer to the token is now allowed, the wrapper functionality
needs to be modified to capture this fact. A sender $\mathcal{G}$ (Goliath) provides as input to $\mathcal{F}^{\mathrm{wrap\text{-}owc}}$
a deterministic Turing machine $T$ (the token). Note that stateful tokens can be hard-coded
with sufficiently long randomness tapes. The receiver $\mathcal{D}$ (David) can query $\mathcal{F}^{\mathrm{wrap\text{-}owc}}$ to run
$T$ with inputs of his choice and receives the output produced by the token. The current state
of $T$ is stored between consecutive queries. In addition, and in order to capture the one-way
communication property, we add the possibility of Goliath sending messages to the token, in
which case $T$ is run on the received string and changes to a new state. The complete description
of the functionality is shown in Figure 3. This model captures the fact that on the one hand
Functionality $\mathcal{F}^{\mathrm{OTM\text{-}with\text{-}Abort}}$

Parametrized by a security parameter $\lambda$. The variable $F_{\mathrm{state}}$ is initialized with wait and $F_{\mathrm{abort}}$ with $\top$.
If any message other than (switch on, sid, $\mathcal{G}$, $\mathcal{D}$) is received while $F_{\mathrm{abort}} = \bot$, the functionality aborts.

Creation. Upon receiving a message (create, sid, $\mathcal{G}$, $\mathcal{D}$, $s_0$, $s_1$) from $\mathcal{G}$ verify if $F_{\mathrm{state}}$ = wait and $s_0, s_1 \in
\{0,1\}^{\lambda}$; else abort. Next, set $F_{\mathrm{state}} \leftarrow$ sent, store (sid, $\mathcal{G}$, $\mathcal{D}$, $s_0$, $s_1$) and send the message (created, sid,
$\mathcal{G}$, $\mathcal{D}$) to the adversary.

Overwrite. Upon receiving a message (overwrite, sid, $\mathcal{G}$, $\mathcal{D}$, $s'_0$, $s'_1$) from $\mathcal{A}$ verify if $F_{\mathrm{state}}$ = sent and
$s'_0, s'_1 \in \{0,1\}^{\lambda}$; else abort. Set $s_0 \leftarrow s'_0$, $s_1 \leftarrow s'_1$.

Deliver. Upon receiving a message (deliver, sid, $\mathcal{G}$, $\mathcal{D}$) from the adversary, verify that $F_{\mathrm{state}}$ = sent; else
abort. Next, set $F_{\mathrm{state}} \leftarrow$ ready, and send (ready, sid, $\mathcal{G}$, $\mathcal{D}$) to $\mathcal{D}$.

Choice. Upon receiving a message (choice, sid, $\mathcal{G}$, $\mathcal{D}$, $c$) from $\mathcal{D}$ check if $F_{\mathrm{state}}$ = ready; else abort. Next,
set $F_{\mathrm{state}} \leftarrow$ dead and send (output, sid, $\mathcal{G}$, $\mathcal{D}$, $s_c$) to $\mathcal{D}$.

Switch Off. Upon receiving a message (switch off, sid, $\mathcal{G}$, $\mathcal{D}$) from $\mathcal{A}$ set $F_{\mathrm{abort}} \leftarrow \bot$.

Switch On. Upon receiving a message (switch on, sid, $\mathcal{G}$, $\mathcal{D}$) from $\mathcal{A}$ set $F_{\mathrm{abort}} \leftarrow \top$.


Figure 2: The One-Time Memory with Abort functionality.


the token cannot send messages to its creator, and on the other hand David cannot access the 
code or the internal state of T. 

3.1 Unconditionally Secure OTM with Two Tokens 

Our solution is to use the non-interactive version of the protocol due to Döttling, Kraschewski
and Müller-Quade [13]. The only function of Goliath in this protocol is creating the two tokens
and sending them to David. David, on the other hand, interacts with both tokens in order
to obtain his output and to check the correctness of the protocol execution. Intuitively, one
of the tokens is used to generate a commitment to the input values and to send the input
values encrypted using one-time pads. The second token only contains a random affine function
which can be evaluated only a single time and allows David to recover the one-time pad key
corresponding to one of the inputs. The specifications of the tokens can be found in Figure 4 and
Figure 5. In the protocol David initially interacts with the token which has the inputs in order
to obtain the commitments and the ciphertexts. After this point David considers the OTM as
delivered. Then, whenever he wants to choose the input to be received, he simply queries the
token that has the affine function on the appropriate input and obtains the one-time pad that
he needs in order to recover his desired value. The description of the protocol is presented in
Figure 6.

The fact that the protocol securely realizes $\mathcal{F}^{\mathrm{OTM\text{-}with\text{-}Abort}}$ follows from a straightforward
modification of the original security proof by Döttling et al. [13], which considered the same
protocol but with isolated tokens and proved that it realizes $\mathcal{F}^{\mathrm{OTM}}$ (without aborts) in such a
scenario.
Functionality $\mathcal{F}^{\mathrm{wrap\text{-}owc}}$

Parametrized by a security parameter $\lambda$ and a polynomial upper bound on the runtime $t(\cdot)$. The variable
$F_{\mathrm{state}}$ is initialized with wait.

Creation. Upon receiving a message (create, sid, $\mathcal{G}$, $\mathcal{D}$, $T$) from $\mathcal{G}$ where $T$ is a deterministic Turing
machine, verify if $F_{\mathrm{state}}$ = wait; else ignore the input. Next, store (sid, $\mathcal{G}$, $\mathcal{D}$, $T$, $T_{\mathrm{state}}$) where $T_{\mathrm{state}}$ is the
initial state of $T$, set $F_{\mathrm{state}} \leftarrow$ sent and send the message (created, sid, $\mathcal{G}$, $\mathcal{D}$) to the adversary.

Deliver. Upon receiving a message (deliver, sid, $\mathcal{G}$, $\mathcal{D}$) from the adversary, verify that $F_{\mathrm{state}}$ = sent; else
ignore the input. Next, set $F_{\mathrm{state}} \leftarrow$ ready, and send (ready, sid, $\mathcal{G}$, $\mathcal{D}$) to $\mathcal{D}$.

Execution. Upon receiving a message (execute, sid, $\mathcal{G}$, $\mathcal{D}$, $x$) from $\mathcal{D}$ where $x$ is an input, check if
$F_{\mathrm{state}}$ = ready and if it is, then run $T(T_{\mathrm{state}}, x)$ for at most $t(\lambda)$ steps. Save the new state of $T$ in $T_{\mathrm{state}}$,
read the output $y$ from its output tape and send (output, sid, $\mathcal{G}$, $\mathcal{D}$, $y$) to $\mathcal{D}$.

Incoming Communication. Upon receiving a message (communication, sid, $\mathcal{G}$, $\mathcal{D}$, $m$) from $\mathcal{A}$, run
$T(T_{\mathrm{state}}, m)$ for at most $t(\lambda)$ steps. Save the new state of $T$ in $T_{\mathrm{state}}$.


Figure 3: The wrapper functionality allowing one-way communication.


Token - Random Values $T_{\mathrm{Random}}$

Parametrized by a security parameter $\lambda$. The token is hardwired with a random vector $a \in \mathbb{F}_2^{2\lambda}$ and a
random matrix $B \in \mathbb{F}_2^{2\lambda \times \lambda}$. It is initialized with state $T_{\mathrm{state}}$ = ready.

Output. Upon receiving a message (choice, $z$) from $\mathcal{D}$ check if $T_{\mathrm{state}}$ = ready; else abort. Next, set
$T_{\mathrm{state}} \leftarrow$ dead, compute $V \leftarrow a z^{\mathsf{T}} + B$ and send the message (output, $V$) to $\mathcal{D}$.


Figure 4: The first token, which only contains random values.


Theorem 3.1 In the model where a malicious Goliath is allowed to send messages to the token,
the protocol presented in Figure 6 UC-realizes the functionality $\mathcal{F}^{\mathrm{OTM\text{-}with\text{-}Abort}}$ with statistical
security against a corrupted Goliath and perfect security against a corrupted David.

Proof: (Sketch) The correctness as well as the security against a corrupted David follow
directly from Döttling et al.'s proof of security. In the case of the security against a corrupted
Goliath, note that the OTM is considered delivered at the point in which David has received
$(G, \hat{a}, \hat{B}, \hat{s}_0, \hat{s}_1)$ from $T_{\mathrm{inputs}}$. From that point on, $T_{\mathrm{inputs}}$ does not participate in the protocol
anymore and it cannot send messages to the outside world. Hence neither Goliath nor $T_{\mathrm{Random}}$
know the matrix $C$ which is used for the commitments, so they can cheat in the commitment's
opening phase only with negligible probability. Both of them also do not know the value $h$,
which is necessary together with $z$ in order to determine David's input $c$. So the proof proceeds
as in [13]; the only difference here is that Goliath can still send messages to $T_{\mathrm{Random}}$ at any
point, and thus he can modify the abort behavior. This can be dealt with by running Döttling
Token - Inputs $T_{\mathrm{inputs}}$

Parametrized by a security parameter $\lambda$. The token is initialized with Goliath's inputs $s_0, s_1$, and the
vector $a$ and matrix $B$ that are used by $T_{\mathrm{Random}}$. It is initialized in state $T_{\mathrm{state}}$ = ready.

Matrix Choice. Upon receiving a message (matrix choice, $C$) from $\mathcal{D}$ check if $T_{\mathrm{state}}$ = ready and
$C \in \mathbb{F}_2^{\lambda \times 2\lambda}$; else abort. Next, compute a matrix $G \in \mathbb{F}_2^{\lambda \times 2\lambda}$ that is complementary to $C$ (i.e., $G$ is
determined by $\lambda$ vectors of length $2\lambda$ which are linearly independent and $G$ spans a subspace of the
kernel of $C$), and also compute $\hat{a} \leftarrow Ca$, $\hat{B} \leftarrow CB$. Set $T_{\mathrm{state}} \leftarrow$ committed and send the message
(commitment, $G$, $\hat{a}$, $\hat{B}$) to $\mathcal{D}$.

Ciphertexts. Upon receiving a message (vector choice, $h$) from $\mathcal{D}$ check if $T_{\mathrm{state}}$ = committed and
$h \in \mathbb{F}_2^{\lambda} \setminus \{0\}$; else abort. Next, compute $\hat{s}_0 \leftarrow s_0 + GBh$ and $\hat{s}_1 \leftarrow s_1 + GBh + Ga$, set $T_{\mathrm{state}} \leftarrow$ dead
and send the message (output, $\hat{s}_0$, $\hat{s}_1$) to $\mathcal{D}$.


Figure 5: The second token, which stores Goliath's inputs.

et al.'s procedure to verify whether the token is going to abort or not (i.e., running a copy of the
token in its current state with random inputs) after each incoming message from Goliath to the
token. If the simulator notices that the abort behavior changed, he can make the appropriate
change in $\mathcal{F}^{\mathrm{OTM\text{-}with\text{-}Abort}}$ using the Switch Off/Switch On commands. □


Sequential OTM with Abort. As done by Döttling et al. [13] for the OTM functionality, it
is also possible to define a sequential version of the OTM-with-Abort functionality where there
are many pairs of Goliath's inputs (i.e., there are multiple stages) which can only be queried
sequentially by David. The functionality only needs to be modified to take pairs of inputs
which can be queried sequentially by David and to allow an adversary to specify which stages
are active/inactive at any time (if an inactive stage is queried by David, then the functionality
aborts). In this case the two-token solution of Döttling et al. [13] for sequential OTMs can be
used. The security proof would be a straightforward modification of Döttling et al.'s proof along
the same lines as above.
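The two-token protocol of Figures 4 to 6, as an added runnable example (Python with numpy); this is not code from the paper or from Döttling et al. It fixes the dimensions the figures imply ($a \in \mathbb{F}_2^{2\lambda}$, $B \in \mathbb{F}_2^{2\lambda\times\lambda}$, $C, G \in \mathbb{F}_2^{\lambda\times 2\lambda}$), builds $G$ as a basis of the kernel of $C$ (one way to obtain a matrix "complementary to $C$"; the paper does not spell out its construction), and adds a cheating $T_{\mathrm{Random}}$ that answers with a different vector $a'$. Since neither Goliath nor that token ever learns $C$, David's check $CV = \hat{a} z^{\mathsf{T}} + \hat{B}$ rejects the cheat unless $C(a' - a) = 0$, which happens with probability $2^{-\lambda}$ over David's choice of $C$:

```python
# Added worked example (not the paper's code): the two-token OTM of Figures 4-6 over F_2.
import numpy as np


def rref_f2(M):
    """Reduced row echelon form over F_2; returns (R, pivot columns)."""
    R = (np.asarray(M) % 2).astype(np.int64)
    rows, cols = R.shape
    pivots, r = [], 0
    for c in range(cols):
        if r == rows:
            break
        hits = np.nonzero(R[r:, c])[0]
        if hits.size == 0:
            continue
        p = r + int(hits[0])
        R[[r, p]] = R[[p, r]]
        for i in range(rows):
            if i != r and R[i, c]:
                R[i] = (R[i] + R[r]) % 2
        pivots.append(c)
        r += 1
    return R, pivots


def nullspace_f2(M):
    """Basis of {v : M v = 0} over F_2, one vector per row; used here as the matrix G of Figure 5."""
    R, pivots = rref_f2(M)
    cols = R.shape[1]
    basis = []
    for f in (c for c in range(cols) if c not in pivots):
        v = np.zeros(cols, dtype=np.int64)
        v[f] = 1
        for i, p in enumerate(pivots):
            v[p] = R[i, f]
        basis.append(v)
    return np.array(basis, dtype=np.int64).reshape(len(basis), cols)


class TokenRandom:
    """T_Random (Figure 4): evaluates z -> V = a z^T + B exactly once."""
    def __init__(self, a, B):
        self.a, self.B, self.state = a, B, "ready"

    def choice(self, z):
        if self.state != "ready":
            raise RuntimeError("T_Random already queried")
        self.state = "dead"
        return (np.outer(self.a, z) + self.B) % 2


class TokenInputs:
    """T_inputs (Figure 5): commits to (a, B) under David's C, then one-time-pads s0, s1."""
    def __init__(self, s0, s1, a, B):
        self.s0, self.s1, self.a, self.B, self.state = s0, s1, a, B, "ready"

    def matrix_choice(self, C):
        lam = self.B.shape[1]
        if self.state != "ready" or C.shape != (lam, 2 * lam):
            raise RuntimeError("bad state or shape of C")
        G = nullspace_f2(C)                      # lam x 2lam whenever C has rank lam
        if G.shape[0] != lam:
            raise ValueError("C must have rank lam")
        self.G, self.state = G, "committed"
        return G, (C @ self.a) % 2, (C @ self.B) % 2      # (G, a_hat, B_hat)

    def vector_choice(self, h):
        if self.state != "committed" or not h.any():
            raise RuntimeError("bad state or h = 0")
        self.state = "dead"
        GBh = (self.G @ self.B @ h) % 2
        return (self.s0 + GBh) % 2, (self.s1 + GBh + self.G @ self.a) % 2   # (s0_hat, s1_hat)


def david_deliver(t_inputs, lam, rng):
    """Delivery phase of Figure 6: random full-rank C, then random h != 0."""
    C = rng.integers(0, 2, (lam, 2 * lam), dtype=np.int64)
    while len(rref_f2(C)[1]) != lam:
        C = rng.integers(0, 2, (lam, 2 * lam), dtype=np.int64)
    G, a_hat, B_hat = t_inputs.matrix_choice(C)
    h = rng.integers(0, 2, lam, dtype=np.int64)
    while not h.any():
        h = rng.integers(0, 2, lam, dtype=np.int64)
    return dict(C=C, G=G, a_hat=a_hat, B_hat=B_hat, h=h, s_hat=t_inputs.vector_choice(h))


def david_choice(st, t_random, c, rng):
    """Choice phase: pick z with z^T h = c, check C V = a_hat z^T + B_hat, unmask s_c."""
    z = rng.integers(0, 2, st["h"].size, dtype=np.int64)
    while int(z @ st["h"]) % 2 != c:
        z = rng.integers(0, 2, st["h"].size, dtype=np.int64)
    V = t_random.choice(z)
    if not np.array_equal((st["C"] @ V) % 2, (np.outer(st["a_hat"], z) + st["B_hat"]) % 2):
        return None                                   # commitment check failed: abort
    return (st["s_hat"][c] + st["G"] @ V @ st["h"]) % 2


def run_otm(lam, s0, s1, c, seed, cheating_token=False):
    """Whole protocol. A cheating T_Random uses a' = a + 1 (all-ones added) and is caught
    unless C(a' - a) = 0, i.e. unless every row of C has even weight."""
    rng = np.random.default_rng(seed)
    a = rng.integers(0, 2, 2 * lam, dtype=np.int64)
    B = rng.integers(0, 2, (2 * lam, lam), dtype=np.int64)
    t_inputs = TokenInputs(s0, s1, a, B)
    t_random = TokenRandom((a + 1) % 2 if cheating_token else a, B)
    return david_choice(david_deliver(t_inputs, lam, rng), t_random, c, rng)


def demo(lam=32, seed=1):
    """Returns (David got s_0, David got s_1, cheating T_Random was caught with c = 1)."""
    rng = np.random.default_rng(seed + 1000)
    s0, s1 = (rng.integers(0, 2, lam, dtype=np.int64) for _ in range(2))
    got = [run_otm(lam, s0, s1, c, seed) for c in (0, 1)]
    ok0 = got[0] is not None and np.array_equal(got[0], s0)
    ok1 = got[1] is not None and np.array_equal(got[1], s1)
    caught = run_otm(lam, s0, s1, 1, seed, cheating_token=True) is None
    return ok0, ok1, caught
```

`demo(32, seed)` returns `(True, True, True)`: honest runs hand David exactly $s_c$, and the cheating token is rejected. The unmasking works because $\hat{s}_c + GVh = s_c + GBh + c\,Ga + G(a z^{\mathsf{T}} h + Bh)$ and $z^{\mathsf{T}} h = c$, so everything except $s_c$ cancels modulo 2; the check works because $CV = (Ca) z^{\mathsf{T}} + CB$ for the honest $V$ and the token cannot compute a fake $V$ that passes without knowing $C$.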

3.2 Impossibility of Unconditionally Secure OTM from a Single Token

Lemma 3.2 Assume that there is only one token and that a malicious token is not computationally
bounded. If a malicious Goliath is allowed to send messages to the token, then there is
no protocol $\Pi$ that realizes OTM with information-theoretic security from this single token.

Proof: For the sake of contradiction assume that a correct and information-theoretically secure
OTM protocol $\Pi$ from a single stateful token exists. Assume that the parties' inputs are chosen
uniformly at random as $s_0, s_1 \in \{0,1\}^{\lambda}$ and $c \in \{0,1\}$. The sender's privacy of the OTM protocol should hold, i.e.

$$I(\mathrm{view}_{\mathcal{D}};\, s_{1-c}) \le \epsilon \;\Leftrightarrow\; H(s_{1-c}) - H(s_{1-c} \mid \mathrm{view}_{\mathcal{D}}) \le \epsilon \;\Leftrightarrow\; H(s_{1-c} \mid \mathrm{view}_{\mathcal{D}}) \ge \lambda - \epsilon,$$

where $\mathrm{view}_{\mathcal{D}}$ is David's view of the protocol execution and $\epsilon$ is a function that is negligible in
the security parameter.
Protocol

Parametrized by a security parameter $\lambda$.

Deliver. $\mathcal{D}$ waits until $\mathcal{G}$ sends the tokens $T_{\mathrm{Random}}$ and $T_{\mathrm{inputs}}$. Then he chooses a random matrix
$C \in \mathbb{F}_2^{\lambda \times 2\lambda}$ and sends the message (matrix choice, $C$) to $T_{\mathrm{inputs}}$ in order to get the answer (commitment,
$G$, $\hat{a}$, $\hat{B}$). After that, $\mathcal{D}$ picks a random vector $h \in \mathbb{F}_2^{\lambda} \setminus \{0\}$ and sends the message (vector choice, $h$) to
$T_{\mathrm{inputs}}$ in order to get the output (output, $\hat{s}_0$, $\hat{s}_1$).

Choice Phase. When $\mathcal{D}$ gets his input $c \in \mathbb{F}_2$, he chooses $z \in \mathbb{F}_2^{\lambda}$ uniformly at random such that $z^{\mathsf{T}} h = c$ and sends the
message (choice, $z$) to $T_{\mathrm{Random}}$ to get the output (output, $V$). Then $\mathcal{D}$ checks if $CV = \hat{a} z^{\mathsf{T}} + \hat{B}$. If it is
not, he aborts; otherwise, he outputs $s_c = \hat{s}_c + GVh$.


Figure 6: The unconditionally secure protocol that realizes $\mathcal{F}^{\mathrm{OTM\text{-}with\text{-}Abort}}$.


By definition of the OTM functionality David can choose his input $c$ at any time after he receives
the token, and Goliath should not learn when David queried the OTM functionality. So David
can choose his input $c$ at a point in the future far after receiving the token, when all initial
communication between the parties is already finished, and then he interacts with the token to
receive $s_c$. But then, at the moment right before David's choice $c$ is made, its entropy is still
1 from the point of view of all parties. Therefore, due to the sender's privacy, at this point it
should hold that

$$H(s_0 \mid \mathrm{view}_{\mathcal{D}}) \ge \lambda - \epsilon \quad\text{and}\quad H(s_1 \mid \mathrm{view}_{\mathcal{D}}) \ge \lambda - \epsilon,$$

where $\mathrm{view}_{\mathcal{D}}$ is David's view of the protocol execution until this point. But if a malicious
Goliath is allowed to send messages to the token, he can forward his complete view to the token.
The token then gets to know all protocol interactions so far and, due to the correctness of the
OTM protocol (i.e., it should work for any pair of inputs in $\{0,1\}^{\lambda}$), it is able, for almost any
$s_c \in \{0,1\}^{\lambda}$, to find a strategy to follow for the rest of the protocol that makes David accept $s_c$.
Hence the values $s_0$ and $s_1$ are not fixed up to the point when David inputs $c$. But in the OTM
functionality the values $s_0$ and $s_1$ are fixed once it is sent, and thus we get a contradiction. □


3.3 Unconditionally Secure OT with a Single Token

Döttling et al. [13] also presented an unconditionally secure solution with one token only, in
which the interactions which are performed between David and $T_{\mathrm{inputs}}$ in the previously described
protocol are instead performed between David and Goliath in an initial interactive phase that
is used to send the commitments and the ciphertexts. Note that such a version of the protocol
would not be secure in the setting where one-way communication is allowed into the token, since
Goliath could simply forward the matrix $C$ to $T_{\mathrm{Random}}$, which would then be able to open the
commitments to any value and thus be able to change the outputs at any time. But we should
mention that it is possible to obtain an oblivious transfer protocol with only one token by letting
the single token act like $T_{\mathrm{inputs}}$ in the above protocol and letting the interactions between David
and $T_{\mathrm{Random}}$ be replaced by identical interactions between David and Goliath. The proof of
Token $T$

Parametrized by a security parameter $\lambda$. The token is hardwired with the shares $(v_{i,0}, v_{i,1})$ for $i = 1, \dots, \lambda$,
the inputs $s_0, s_1$ and Goliath's public key pk. It is initialized with state $T_{\mathrm{state}}$ = ready and $j = 0$.

Message Commitment. Upon receiving a message (challenge, $k_j$) from $\mathcal{D}$ check if $T_{\mathrm{state}}$ = ready and
$k_j$ is a bit; else abort. Set $j \leftarrow j + 1$. If $j = \lambda$, then set $T_{\mathrm{state}} \leftarrow$ message committed. Send the message
(message commitment, $v_{j,k_j}$) to $\mathcal{D}$.

Inputs Commitment. Upon receiving a message (commit, crs, $\sigma$) from $\mathcal{D}$ check if $T_{\mathrm{state}}$ =
message committed and if $\sigma$ is a valid signature of $\mathcal{G}$ on crs; else abort. Set $T_{\mathrm{state}} \leftarrow$ inputs committed.
Commit to the values $s_0, s_1$ using a computationally UC-secure commitment protocol that uses the common
reference string crs and send the commitments to $\mathcal{D}$. Let $d_0, d_1$ denote the information to open the
commitments.

Output. Upon receiving the message output from $\mathcal{D}$ check if $T_{\mathrm{state}}$ = inputs committed; else abort. Next,
set $T_{\mathrm{state}} \leftarrow$ dead and execute with $\mathcal{D}$ a computationally UC-secure oblivious transfer protocol using the
common reference string crs and with inputs $(s_0 \| d_0,\; s_1 \| d_1)$.


Figure 7: The token for a computationally secure OTM protocol with a single token.


security would follow along the same lines as before since Goliath would never get to know $C$ and $h$.
Note that the drawback of having to know the OT inputs before sending the token can be easily
overcome by performing the OTs with random inputs and derandomizing them afterwards.

3.4 Computationally Secure OTM from a Single Token 

If one considers the scenario where only one token is available, it is possible to obtain a protocol
that realizes $\mathcal{F}^{\mathrm{OTM\text{-}with\text{-}Abort}}$ with computational security. The idea is to compute as an initial
step (i.e. during the delivery phase) the commitment functionality by using the token and
interactions between Goliath and David. With access to this commitment functionality it is possible
to obtain a common reference string between David and the token², which in turn allows one to
run a computationally secure UC-commitment protocol between them in order to commit to
the input values. After receiving from the token the commitments to the input values, David
considers the delivery complete, and whenever he wants to get his output he just executes an
oblivious transfer protocol with the token with his desired choice bit as input. He checks the
correctness of the output using the commitment. The crucial point for the simulation to go
through is that the simulator should be able to extract the first commitment before its opening,
so that he can choose the common reference string as he wishes. In order to accomplish that
in face of a potentially malicious token which possibly only correctly answers queries to certain
values, we will commit to a message $m$ by using $\lambda$ pairs of random shares $(v_{i,0}, v_{i,1})$ where for
each pair $v_{i,0} + v_{i,1} = m$. During the committing phase, $\mathcal{D}$ interacts with the token and can
choose to receive either $v_{i,0}$ or $v_{i,1}$ for each pair. To open the commitment, $\mathcal{G}$ reveals all the
shares. The specification of the token can be found in Figure 7 and of the protocol in Figure 8.

² The common reference string is actually obtained by Goliath and David, but can be forwarded from Goliath
to the token via David by using a digital signature to ensure that the value that the token obtains is exactly the
same one that Goliath sent.




Protocol

Parametrized by a security parameter $\lambda$.

Deliver. $\mathcal{G}$ generates a pair of signing key sk and public key pk for a signature scheme. Then he picks
a random message $m'$ and random vectors $v_{i,0}$ for $i = 1, \dots, \lambda$ (all over $\mathbb{F}_2$) and sets $v_{i,1} = m' - v_{i,0}$.
He creates the token $T$ (described in Figure 7) with the hardwired vectors $(v_{i,0}, v_{i,1})$, $s_0$, $s_1$ and pk, and
sends it to $\mathcal{D}$. Upon receiving the token $T$, $\mathcal{D}$ queries it with random bits $k_i$ for $i = 1, \dots, \lambda$ in order to
get $v_{i,k_i}$. $\mathcal{D}$ picks a random message $m''$ and sends it to $\mathcal{G}$. Then $\mathcal{G}$ opens the commitment to $m'$
by sending all the shares $(v_{i,0}, v_{i,1})$ to $\mathcal{D}$. $\mathcal{D}$ checks if $m' = v_{i,0} + v_{i,1}$ for all $i = 1, \dots, \lambda$ and that each
$v_{i,k_i}$ equals the share he received from $T$, aborting the protocol if this is not the case. Both $\mathcal{G}$ and $\mathcal{D}$ use
$m = m' + m''$ to generate a common reference string crs. $\mathcal{G}$ signs crs with his signing key sk and sends the
signature $\sigma$ to $\mathcal{D}$. $\mathcal{D}$ sends crs and $\sigma$ to $T$ in order to receive the commitments to $s_0$ and $s_1$.

Choice Phase. When $\mathcal{D}$ gets his input $c \in \mathbb{F}_2$, he sends the message output to $T$ and executes a
computationally UC-secure oblivious transfer protocol with the token using the common reference string
crs and with input $c$ in order to get the output $s_c \| d_c$, where $\|$ denotes concatenation. $\mathcal{D}$ checks the
correctness of $s_c$ using the commitment that he received previously and the opening information $d_c$.


Figure 8: The computationally secure OTM protocol using one token.


Theorem 3.3 In the model where a malicious Goliath is allowed to send messages to the token,
the protocol presented in Figure 8 UC-realizes the functionality $\mathcal{F}^{\mathrm{OTM\text{-}with\text{-}Abort}}$ with computational
security.

Proof: The correctness of the protocol can be trivially verified. The simulation for the cases 
that both parties are corrupted or no parties are corrupted are trivial. We describe below how 
the simulation proceeds in the other cases. 


Corrupted Sender: If Goliath is corrupted (and thus also the token), the simulator will
simulate an interaction of the protocol with the adversary and has to extract both $s_0$ and $s_1$
from this interaction in order to give them as input to the OTM functionality. The main point
is that the simulator should be able to extract the value $m'$ before sending $m''$, so
that he can choose the common reference string crs as he wishes, thus being able to create a
trapdoor to extract $s_0$ and $s_1$ from the committed values.

We have that only Goliath can program the token, so the environment machine will provide
the code to Goliath (and hence to the simulator). To extract the value $m'$ the simulator does
the following. When the commitment step happens, whenever David sends a valid message
(challenge, $k_j$) to receive a share, the simulator first executes the token with the input
$1 - k_j$, obtaining an answer $\tilde{v}_{j,1-k_j}$, and then resets the token to the point before this query and
executes the token with input $k_j$ to obtain $\tilde{v}_{j,k_j}$, which he forwards to David. Let $\tilde{m}'_j = \tilde{v}_{j,0} + \tilde{v}_{j,1}$.
After all the $\lambda$ challenges are done, the simulator fixes $\tilde{m}'$ as the value that appeared most often
in the tuple $(\tilde{m}'_1, \dots, \tilde{m}'_{\lambda})$. He then chooses $m'' = m - \tilde{m}'$ for any $m$ he wants. Let us now analyze
this extraction procedure. Let $(\bar{v}_{j,0}, \bar{v}_{j,1})$ denote the values that Goliath reveals in the opening
phase. Note that the protocol will be aborted unless $\bar{v}_{j,0} + \bar{v}_{j,1} = m'$ for all $j$ and some fixed
message $m'$. For any $j$, if $\bar{v}_{j,0} \neq \tilde{v}_{j,0}$ and $\bar{v}_{j,1} \neq \tilde{v}_{j,1}$ then the protocol will be aborted anyway
(whichever share David queried, the opened value differs from the one the token gave him)
and we do not need to worry about the extracted value. If for the majority of the $j$'s it holds
that $\bar{v}_{j,0} = \tilde{v}_{j,0}$ and $\bar{v}_{j,1} = \tilde{v}_{j,1}$, then $\tilde{m}' = m'$ and thus the extraction procedure works properly.
The remaining case is the one in which at least half of the $j$'s are such that either $\bar{v}_{j,0} = \tilde{v}_{j,0}$
or $\bar{v}_{j,1} = \tilde{v}_{j,1}$, but not both equalities hold. For each such $j$ the probability that the opening
check succeeds for this pair of vectors is $1/2$, since Goliath cannot get any information from the
token about which share David queried. Therefore if half or more of the $j$'s are in this condition, the protocol will abort with
overwhelming probability in the security parameter $\lambda$.

Given that the extraction worked properly, the simulator can create the common reference string
as he wishes and so he is able to have a trapdoor to extract the values $s_0$ and $s_1$ from the
commitments and give them as input to the OTM functionality. To learn the abort behavior, the
simulator simulates, at the onset and also after each incoming message from Goliath to the token,
a choice phase execution between David and the token. The simulator can then use the Switch
Off/Switch On commands to adapt the abort behavior of $\mathcal{F}^{\mathrm{OTM\text{-}with\text{-}Abort}}$ properly.
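The share commitment of Section 3.4 together with the simulator's rewinding extractor from the corrupted-sender case above, as an added Python example (not the paper's code). It assumes 16-bit shares and a deterministic token object that can be copied, which is how "reset the token to the point before this query" is realised here: a copy of the token answers the challenge $1 - k_j$ while the real token answers $k_j$. The `InconsistentToken` is the proof's middle case (one of the two shares matches what Goliath later opens, the other does not): David's opening check catches it for every pair on which he happened to query the bad share, so it survives only if all of his $\lambda$ challenge bits picked the good one.

```python
# Added worked example (not the paper's code): the lambda-pair share commitment of Section 3.4
# and the rewinding extractor from the proof of Theorem 3.3. 16-bit shares are an assumption.
import copy
import random
from collections import Counter

BITS = 16


def goliath_commit(m, lam, rng):
    """lam pairs (v_{i,0}, v_{i,1}) with v_{i,0} XOR v_{i,1} = m; Goliath hardwires them into the token."""
    return [(v0, v0 ^ m) for v0 in (rng.getrandbits(BITS) for _ in range(lam))]


class ShareToken:
    """Honest token (Figure 7, Message Commitment): the j-th (challenge, k_j) returns v_{j,k_j}."""
    def __init__(self, shares):
        self.shares, self.j = shares, 0

    def challenge(self, k):
        if self.j >= len(self.shares):
            raise RuntimeError("all lambda challenges already answered")
        v = self.shares[self.j][k]
        self.j += 1
        return v


class InconsistentToken(ShareToken):
    """Malicious token: its k = 1 answers are not the shares Goliath will open later
    (the 'one equality holds but not both' case of the proof)."""
    def challenge(self, k):
        return super().challenge(k) ^ (0xFFFF if k == 1 else 0)


def simulator_extract(token, challenges):
    """Rewinding extractor: a copy of the token answers 1 - k_j, the real token answers k_j;
    m_tilde is the majority of v_{j,0} XOR v_{j,1} over all pairs."""
    votes, received = Counter(), []
    for k in challenges:
        other = copy.deepcopy(token).challenge(1 - k)   # run the copy: the real token is not advanced
        mine = token.challenge(k)                        # this is what David actually receives
        received.append(mine)
        votes[mine ^ other] += 1
    return votes.most_common(1)[0][0], received


def david_check_opening(m_prime, opened, challenges, received):
    """Every opened pair must sum to m', and the share David queried must equal what the token gave him."""
    return all(v0 ^ v1 == m_prime and (v0, v1)[k] == r
               for (v0, v1), k, r in zip(opened, challenges, received))


def run(token_cls, lam=8, seed=7):
    """Returns (extractor recovered m', David accepts Goliath's honest opening, some k_j was 1)."""
    rng = random.Random(seed)
    m_prime = rng.getrandbits(BITS)
    shares = goliath_commit(m_prime, lam, rng)
    challenges = [rng.getrandbits(1) for _ in range(lam)]
    extracted, received = simulator_extract(token_cls(shares), challenges)
    accepted = david_check_opening(m_prime, shares, challenges, received)
    return extracted == m_prime, accepted, any(challenges)
```

`run(ShareToken)` gives `(True, True, ...)`: the extractor learns $m'$ before $m''$ is ever sent, so the simulator can pick $m''$ to force any $m$ and hence any crs. `run(InconsistentToken)` gives a wrong extraction, but David accepts the opening exactly when no challenge bit was 1, which has probability $2^{-\lambda}$; this is why the simulator only has to be right in the runs that do not abort.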


Corrupted Receiver: If David is corrupted, the simulator gets to know all of David's challenges
$k_j$ in the first commitment. Hence, after seeing $m''$, he can choose any $m'$ he wants (and thus
any resulting $m$ and crs) and appropriate shares $(v_{i,0}, v_{i,1})$ that are correct from David's point
of view. By picking a common reference string together with an appropriate trapdoor, the
simulator can learn the choice bit $c$, query it to the functionality $\mathcal{F}^{\mathrm{OTM\text{-}with\text{-}Abort}}$ and learn $s_c$.
Using the equivocability of the UC-commitment the simulator can find an appropriate opening
information $d_c$ and feed $s_c \| d_c$ to David in the OT protocol. □

Note that the above protocol can be trivially extended to the case of sequential OTMs. 


4 The Case of Outgoing Communication 

In the complementary problem, we consider tokens which have a one-way channel that allows them to send messages to Goliath, but which cannot receive any information from Goliath. In this scenario we would like to implement $\mathcal{F}_{\mathrm{OTM}}$. Note that in this case Goliath cannot control the abort behavior of the token online. We first show an impossibility result for unconditionally secure protocols and then present a computationally secure protocol using a single token.

4.1 Impossibility of Information-Theoretically Secure OT(M) 

Lemma 4.1 If the tokens can send messages to Goliath, then there is no protocol $\Pi$ that realizes OTM, or even oblivious transfer, with information-theoretic security.


Proof: (Sketch) The basic idea is that the malicious tokens send their complete view to Goliath after each interaction with David. Thus, independently of whether Goliath or some token receives the last protocol message, the combined view of Goliath and the tokens is available to a malicious Goliath. This directly implies that an OT protocol with information-theoretic security is not possible, because the whole model collapses to the two-party case in the stand-alone setting, where information-theoretically secure OT is known to be impossible: either the complete transcript of the exchanged messages (which is available to a malicious Goliath) uniquely determines the choice bit $c$ of David, or a malicious David can obtain both input bits $(s_0, s_1)$; in both cases the oblivious transfer security is broken. □
Token $\mathcal{T}$

Parametrized by a security parameter $\lambda$. The token is hardwired with the shares $(v_{n,i,0}, v_{n,i,1})$ for $i = 1, \dots, 2\lambda$, $n = 1, \dots, \lambda$ and an opening key $\mathsf{cok} \in \{0,1\}^{\lambda}$. It is initialized with state $T_{\mathrm{state}} = \mathsf{ready}$.

Shares Opening. Upon receiving a message $(\mathsf{challenge}, n_1, \dots, n_{\lambda/2})$ from $\mathcal{D}$, check if $T_{\mathrm{state}} = \mathsf{ready}$ and $\{n_1, \dots, n_{\lambda/2}\} \subset \{1, \dots, \lambda\}$ are the specifications of the shares $\mathcal{D}$ wants to be revealed; else abort. Set $T_{\mathrm{state}} \leftarrow \mathsf{message\ committed}$. Send the message $(\mathsf{shares\ opening}, (v_{n_j,i,0}, v_{n_j,i,1})_{j=1,\dots,\lambda/2,\; i=1,\dots,2\lambda})$ to $\mathcal{D}$.

Message Opening. Upon receiving a message $(\mathsf{reveal\ message}, \widetilde{\mathsf{cok}})$ from $\mathcal{D}$, check if $T_{\mathrm{state}} = \mathsf{message\ committed}$ and $\widetilde{\mathsf{cok}} = \mathsf{cok}$; else abort. Set $T_{\mathrm{state}} \leftarrow \mathsf{message\ opened}$. Send the message $(\mathsf{opening}, (v_{n,i,0}, v_{n,i,1})_{n=1,\dots,\lambda,\; i=1,\dots,2\lambda})$ to $\mathcal{D}$.

Figure 9: The token for the commitment protocol with outgoing communication.


We remark that the crucial point here is that for oblivious transfer it does not matter at which time Goliath gets the complete view, i.e., it does not matter whether some token or Goliath receives the last message: as soon as he learns the choice bit, the protocol is broken. This argument, however, does not rule out information-theoretically UC-secure commitments.

4.2 Unconditionally Secure Commitment with a Single Token

The idea here is to commit to a message $m$ by using pairs of random shares $(v_{i,0}, v_{i,1})$ such that $v_{i,0} + v_{i,1} = m$ for each pair; the shares are known to both the token and Goliath. The commitment phase is done by interactions between David and Goliath, where for each pair David can choose to receive either $v_{i,0}$ or $v_{i,1}$. In order to guarantee the binding property, the opening phase is executed between David and the token: David receives an opening key from Goliath and forwards it to the token, which checks it and reveals all the shares to David. We need to guarantee that, on the one hand, David cannot guess the opening key (and thus open the commitment whenever he wants) and, on the other hand, the opening key does not contain enough information to allow the token to learn David's choices during the commitment phase (and thus to open the commitment to any value); note that a malicious Goliath sends the string that David forwards only after he has learned all of David's choices, so this string is the only channel through which the choices could reach the token. We therefore use opening keys that are random $\lambda$-bit strings and $2\lambda$ pairs of random shares. This commitment scheme is secure, but not yet extractable. In order to get extractability, instead of committing to the message itself, we first use the $(\lambda, \lambda/2 + 1)$-Shamir secret sharing scheme to create $\lambda$ shares $(m_1, \dots, m_\lambda)$ of the message, then commit to each share using the above scheme (in the opening phase a single opening key of $\lambda$ bits is given to the token in order to open all the commitments), but we additionally make David ask the token to open $\lambda/2$ shares $m_{n_1}, \dots, m_{n_{\lambda/2}}$ (without sending the opening key) already in the commitment phase; these do not reveal any information about $m$. The specification of the token can be found in Figure 9 and that of the protocol in Figure 10.

Theorem 4.2 In the model where malicious tokens are allowed to send messages to Goliath, the protocol presented in Figure 10 UC-realizes the commitment functionality with unconditional security.

The proof is in Appendix A.
Commitment Protocol

Parametrized by a security parameter $\lambda$.

Commitment Phase. $\mathcal{G}$ generates an opening key $\mathsf{cok} \leftarrow \mathbb{F}_2^{\lambda}$. Then he generates $\lambda$ shares $(m_1, \dots, m_\lambda)$ of the message $m$ using Shamir's secret sharing scheme. For each share $m_n$, $\mathcal{G}$ picks random vectors $v_{n,i,0} \leftarrow \mathbb{F}_2^{\lambda}$ for $i = 1, \dots, 2\lambda$ and sets $v_{n,i,1} = m_n - v_{n,i,0}$. He creates the token $\mathcal{T}$ (described in Figure 9) with the hardwired $\mathsf{cok}$ and vectors $(v_{n,i,0}, v_{n,i,1})$ for $n = 1, \dots, \lambda$, $i = 1, \dots, 2\lambda$, and sends it to $\mathcal{D}$. Upon receiving the token $\mathcal{T}$, $\mathcal{D}$ queries $\mathcal{G}$ with random bits $k_{n,i}$ for $n = 1, \dots, \lambda$, $i = 1, \dots, 2\lambda$ in order to get $v_{n,i,k_{n,i}}$. Then $\mathcal{D}$ picks a random subset $\{n_1, \dots, n_{\lambda/2}\} \subset \{1, \dots, \lambda\}$ and asks the token to reveal $(v_{n_j,i,0}, v_{n_j,i,1})$ for $j = 1, \dots, \lambda/2$, $i = 1, \dots, 2\lambda$, which he checks against the information he received from $\mathcal{G}$, aborting if they do not match.

Opening Phase. $\mathcal{G}$ sends to $\mathcal{D}$ the message shares $(m_1, \dots, m_\lambda)$ and also the commitment opening key $\mathsf{cok}$, which $\mathcal{D}$ forwards to $\mathcal{T}$ in order to get all the shares $(v_{n,i,0}, v_{n,i,1})$. $\mathcal{D}$ checks if $m_n = v_{n,i,0} + v_{n,i,1}$ for all $i$ and $n$, aborting the protocol if this is not the case. Then he reconstructs $m$ from the shares, aborting if $m$ is not uniquely determined by the shares.

Figure 10: The unconditionally secure commitment protocol using one token for the case of outgoing communication.

4.3 Computationally Secure OTM with a Single Token

For the case of computational security, it is possible to obtain an OTM protocol which uses only one token. The approach is briefly described below. Using the ideas from the previous section, the parties can compute the commitment functionality, which can then be used to establish a common reference string between David and the token. The common reference string in turn can be used to run computationally UC-secure commitment and OT protocols between the token and David. The token commits to the input values using the computationally UC-secure commitment protocol, at which point David considers the delivery complete. Afterwards, whenever David wants to obtain his output, he engages in a computationally UC-secure OT protocol with the token in order to get the desired output and the commitment verification information.

Theorem 4.3 In the model where malicious tokens are allowed to send messages to Goliath, there is a protocol using a single token which UC-realizes the functionality $\mathcal{F}_{\mathrm{OTM}}$ with computational security.

The description of the token and the protocol, as well as the security proof, can be found in Appendix B.


5 Conclusion 

In this work we investigated a weaker isolation model for tamper-proof hardware, namely one in which one-way (broadband) communication channels are allowed either from the token creator to the tokens or in the opposite direction. In the case that the tokens can receive incoming communication from their creator we showed the following: (1) there is an unconditionally secure One-Time Memory (OTM) protocol using two tokens, (2) it is impossible to realize OTM with unconditional security from a single token, (3) there is an unconditionally secure oblivious transfer protocol using a single token, (4) there is a computationally secure OTM protocol using a single token. In the case that the tokens can send outgoing communication to their creator we showed the following: (1) it is impossible to realize OTM or oblivious transfer with unconditional security, (2) there is an unconditionally secure commitment protocol using a single token, (3) there is a computationally secure OTM protocol using a single token.
A Proof of Theorem 4.2

Proof: The correctness of the protocol is trivial, as is the simulation for the cases that both parties are corrupted or no party is corrupted. We describe below how the simulation proceeds in the other cases.


Corrupted Sender: We have that only Goliath can program the token, so the environment machine will provide the code to Goliath (and hence to the simulator). To extract the value $m$ the simulator does the following when David asks the token to open $\lambda/2$ shares $m_{n_1}, \dots, m_{n_{\lambda/2}}$ of $m$ during the commitment step. Let $Q_0$ denote the subset that David chose to be opened. First note that, given the token's answer to any opening query and the commitment information received during the interaction with Goliath, it is possible to distinguish with overwhelming probability whether the token opened the shares correctly or not. So the simulator first tests if the query $Q_0$ was answered correctly by the token. If $Q_0$ is not answered correctly by the token, we do not need to worry about the extraction since the protocol will be aborted anyway. If it was answered correctly, the simulator also runs internally other executions of this procedure for opening half of the shares, in each of them asking a random subset $Q_1, Q_2, \dots$ (with $|Q_i| = \lambda/2$) of the shares to be opened (the token is started in each execution from the same state that it was in just before $Q_0$, and there is a fixed exponential upper bound on the number of executions that can be performed). The procedure is repeated until some $Q_j$ is answered correctly. Note that the probability that the token answers any of the queries $Q_0, Q_1, \dots$ correctly is the same, since they are chosen from the same distribution; let $p$ denote this probability. If $p$ is not negligible, then the expected number of iterations needed to find a second query $Q_j$ that is answered correctly is polynomial. From $Q_0$ and $Q_j$ the simulator can recover $\tilde m$, the unique value that can possibly be accepted with non-negligible probability in the tests performed in the commitment's opening phase (since $Q_j \neq Q_0$ with overwhelming probability, the two queries together reveal at least $\lambda/2 + 1$ shares, which determine a unique secret). If Goliath later opens to some $m \neq \tilde m$, we do not need to worry about the extraction since the protocol will be aborted anyway. Therefore the simulator can perform the extraction correctly with overwhelming probability.


Corrupted Receiver: If David is corrupted, the simulator gets to know all of David's challenges $k_{n,i}$ as well as which shares of $m$ were opened. Hence, after the commitment phase he can still choose any $m$ he wants and appropriate shares $(m_1, \dots, m_\lambda)$ and $(v_{n,i,0}, v_{n,i,1})$ that will be accepted by David in the opening phase. □
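To make both mechanisms concrete, the following Python model is an added example (it is not code from the paper and not an implementation by its authors): it runs the commitment protocol of Figure 10 end to end, lets Goliath try to open to a different value, and then plays the rewinding extractor of the corrupted-sender case above against a token that answers only half of all challenges. Everything beyond the paper is an assumption: arithmetic is over a prime field $\mathbb{F}_p$ instead of the paper's $\mathbb{F}_2^{\lambda}$ vectors, the security parameter is a toy $\lambda = 8$, "rewinding" the token is modelled as `copy.deepcopy` of the token object, and the cheating knob `only_if`, the helper names and the seeds are invented for the illustration.

```python
# Added illustration, not code from the paper: a toy run of the single-token commitment protocol
# of Figure 10 and of the rewinding extractor from the corrupted-sender case of Appendix A.
# Assumptions not in the paper: prime field F_p instead of F_2^lambda, deepcopy as "rewind", LAM = 8.
import copy, random
P, LAM = 2**31 - 1, 8
THR = LAM // 2 + 1                             # (LAM, LAM/2 + 1)-Shamir threshold
NS, PAIRS = range(1, LAM + 1), range(1, 2 * LAM + 1)

def lagrange(pts, x):                          # polynomial through {xi: yi}, evaluated at x
    acc = 0
    for xi, yi in pts.items():
        num = den = 1
        for xj in pts:
            if xj != xi:
                num, den = num * (x - xj) % P, den * (xi - xj) % P
        acc = (acc + yi * num * pow(den, P - 2, P)) % P
    return acc

def shamir_share(m, rng):                      # degree-(THR-1) polynomial with constant term m
    c = [m % P] + [rng.randrange(P) for _ in range(THR - 1)]
    return {n: sum(a * pow(n, k, P) for k, a in enumerate(c)) % P for n in NS}
def unique_secret(shares):                     # m if every share fits one polynomial, else None
    base = dict(list(shares.items())[:THR])
    return lagrange(base, 0) if all(lagrange(base, n) == y for n, y in shares.items()) else None
def shares_from(ans, subset):                  # m_n = v_{n,1,0} + v_{n,1,1} for each opened share
    return {n: (ans[(n, 1, 0)] + ans[(n, 1, 1)]) % P for n in subset}

class Token:                                   # the token of Figure 9; only_if != None models a
    def __init__(self, v, cok, only_if=None):  # cheating token that answers only if that share is audited
        self.v, self.cok, self.state, self.only_if = v, cok, "ready", only_if
    def shares_opening(self, subset):
        if self.state != "ready" or len(set(subset)) != LAM // 2 or not set(subset) <= set(NS) \
                or self.only_if not in (None, *subset):
            raise RuntimeError("token abort")
        self.state = "message committed"
        return {(n, i, b): self.v[(n, i, b)] for n in subset for i in PAIRS for b in (0, 1)}
    def message_opening(self, cok):
        if self.state != "message committed" or cok != self.cok:
            raise RuntimeError("token abort")
        self.state = "message opened"
        return dict(self.v)

def goliath_commit(m, rng):                    # Shamir shares of m, then 2*LAM additive pairs per share
    m_shares, cok = shamir_share(m, rng), rng.getrandbits(LAM)
    v0 = {(n, i): rng.randrange(P) for n in NS for i in PAIRS}
    v = {(n, i, b): v0[(n, i)] if b == 0 else (m_shares[n] - v0[(n, i)]) % P
         for (n, i) in v0 for b in (0, 1)}
    return Token(v, cok), m_shares, cok, v

def david_queries(v, rng):                     # David's bits k_{n,i} and the halves v_{n,i,k} Goliath returns
    k = {(n, i): rng.randrange(2) for n in NS for i in PAIRS}
    return k, {(n, i): v[(n, i, k[(n, i)])] for (n, i) in k}

def audit(token, subset, k, rcv):              # David checks a token answer against Goliath's halves
    ans = token.shares_opening(subset)
    if not all(ans[(n, i, k[(n, i)])] == rcv[(n, i)] and (ans[(n, i, 0)] + ans[(n, i, 1)]) % P
               == (ans[(n, 1, 0)] + ans[(n, 1, 1)]) % P for n in subset for i in PAIRS):
        raise RuntimeError("David aborts: token and Goliath disagree")
    return ans

def david_open(token, m_shares, cok, k, rcv):  # opening phase: forward cok, check every pair, reconstruct
    v = token.message_opening(cok)
    if not all(v[(n, i, k[(n, i)])] == rcv[(n, i)] and (v[(n, i, 0)] + v[(n, i, 1)]) % P == m_shares[n]
               for n in NS for i in PAIRS):
        raise RuntimeError("David aborts: shares do not match")
    if (m := unique_secret(m_shares)) is None:
        raise RuntimeError("David aborts: m not uniquely determined")
    return m

def extract(token, q0, k, rcv, rng, tries=1000):   # Appendix A: rewind until a 2nd subset is answered
    snap = copy.deepcopy(token)                # token state just before Q_0
    try:
        pts = shares_from(audit(token, q0, k, rcv), q0)
    except RuntimeError:
        return None                            # the real execution aborts anyway
    for _ in range(tries):
        qj = rng.sample(NS, LAM // 2)
        try:
            pts.update(shares_from(audit(copy.deepcopy(snap), qj, k, rcv), qj))
        except RuntimeError:
            continue
        if len(pts) >= THR:                    # Q_j != Q_0, so more than lambda/2 shares are known
            return unique_secret(pts)
    return None

def run_commit_open(m, open_to=None, seed=1):  # honest run returns m; opening to open_to != m aborts
    rng = random.Random(seed)
    token, m_shares, cok, v = goliath_commit(m, rng)
    k, rcv = david_queries(v, rng)
    try:
        audit(token, rng.sample(NS, LAM // 2), k, rcv)
        return david_open(token, m_shares if open_to is None else shamir_share(open_to, rng), cok, k, rcv)
    except RuntimeError:
        return "abort"

def run_extract(m, flaky=False, seed=2):       # simulator extracting from an honest or a cheating token
    rng = random.Random(seed)
    token, _, cok, v = goliath_commit(m, rng)
    k, rcv = david_queries(v, rng)
    return extract(Token(v, cok, 1) if flaky else token, [1, 2, 3, 4], k, rcv, rng)
```

`run_commit_open(m)` returns `m` for honest parties and `"abort"` when Goliath tries to open to another value, because the additive pairs hardwired in the token sum to the original shares and David checks all of them. `run_extract(m, flaky=True)` replays the argument of Appendix A: the first challenge `[1, 2, 3, 4]` is answered (it contains the share the cheating token insists on), so the simulator rewinds with fresh random subsets until a second one is answered, which takes about two attempts at $p = 1/2$; any $Q_j \neq Q_0$ pushes the number of known shares above the threshold $\lambda/2 + 1$ and the secret is recovered. The audit in `audit` additionally requires the two halves of every pair of an opened share to sum to the same value, a check the paper's David does not need during the commitment phase but which makes a single opened pair define $m_n$ for the extractor.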

B Computationally Secure OTM with a Single Token

Here we describe the computationally secure OTM protocol with a single token in the case of outgoing communication. It uses the commitment protocol as a building block. We describe the full protocol for the sake of completeness.

As in the protocol for the case of incoming communication, the idea is to use initial interactions (i.e., during the delivery phase) between Goliath and David, and also between David and the token, in order to compute the commitment functionality and use it to establish a common reference string between David and the token, which can then be used to run computationally UC-secure commitment and OT protocols between the token and David. The token then commits to the input values, at which point David considers the delivery complete. Afterwards, whenever David wants to obtain his output, he engages in a computationally UC-secure OT protocol with the token in order to get the desired output and the commitment verification information. The specification of the token can be found in Figure 11 and that of the protocol in Figure 12.

Theorem B.1 The protocol presented in Figure 12 UC-realizes the functionality $\mathcal{F}_{\mathrm{OTM}}$ with computational security.


Proof: The correctness of the protocol is trivial, as is the simulation for the cases that both parties are corrupted or no party is corrupted. We describe below how the simulation proceeds in the other cases.

Corrupted Sender: If Goliath is corrupted (and thus also the token), the simulator should be able to extract both $s_0$ and $s_1$ to give them as input to the OTM functionality. In short, the simulator should be able to extract the value $m'$ before sending $m''$, so that he can choose the common reference string $\mathsf{crs}$ as he wishes, thus being able to create a trapdoor to extract $s_0$ and $s_1$ from the committed values. The extraction happens in the same way as in the proof in Appendix A, and the expected polynomial-time simulator can perform the extraction correctly with overwhelming probability.

If the extraction works properly, the simulator is able to choose the common reference string and therefore to have a trapdoor that allows him to extract the values $s_0$ and $s_1$ from the commitments. To learn about the abort behavior during the choice phase, the simulator simulates a choice phase between David and the token with random inputs. Hence he is able to forward the correct inputs to the OTM functionality.
Token $\mathcal{T}$

Parametrized by a security parameter $\lambda$. The token is hardwired with the shares $(v_{n,i,0}, v_{n,i,1})$ for $i = 1, \dots, 2\lambda$, $n = 1, \dots, \lambda$, the inputs $s_0, s_1$, Goliath's public key $\mathsf{pk}$ and an opening key $\mathsf{cok} \in \{0,1\}^{\lambda}$. It is initialized with state $T_{\mathrm{state}} = \mathsf{ready}$.

Shares Opening. Upon receiving a message $(\mathsf{challenge}, n_1, \dots, n_{\lambda/2})$ from $\mathcal{D}$, check if $T_{\mathrm{state}} = \mathsf{ready}$ and $\{n_1, \dots, n_{\lambda/2}\} \subset \{1, \dots, \lambda\}$ are the specifications of the shares $\mathcal{D}$ wants to be revealed; else abort. Set $T_{\mathrm{state}} \leftarrow \mathsf{message\ committed}$. Send the message $(\mathsf{shares\ opening}, (v_{n_j,i,0}, v_{n_j,i,1})_{j=1,\dots,\lambda/2,\; i=1,\dots,2\lambda})$ to $\mathcal{D}$.

Message Opening. Upon receiving a message $(\mathsf{reveal\ message}, \widetilde{\mathsf{cok}})$ from $\mathcal{D}$, check if $T_{\mathrm{state}} = \mathsf{message\ committed}$ and $\widetilde{\mathsf{cok}} = \mathsf{cok}$; else abort. Set $T_{\mathrm{state}} \leftarrow \mathsf{message\ opened}$. Send the message $(\mathsf{opening}, (v_{n,i,0}, v_{n,i,1})_{n=1,\dots,\lambda,\; i=1,\dots,2\lambda})$ to $\mathcal{D}$.

Inputs Commitment. Upon receiving a message $(\mathsf{commit}, \mathsf{crs}, \sigma)$ from $\mathcal{D}$, check if $T_{\mathrm{state}} = \mathsf{message\ opened}$ and if $\sigma$ is a valid signature of $\mathcal{G}$ on $\mathsf{crs}$; else abort. Set $T_{\mathrm{state}} \leftarrow \mathsf{inputs\ committed}$. Commit to the values $s_0, s_1$ using a computationally UC-secure commitment protocol that uses the common reference string $\mathsf{crs}$ and send the commitments to $\mathcal{D}$. Let $d_0, d_1$ denote the information to open the commitments.

Output. Upon receiving the message $\mathsf{output}$ from $\mathcal{D}$, check if $T_{\mathrm{state}} = \mathsf{inputs\ committed}$; else abort. Next, set $T_{\mathrm{state}} \leftarrow \mathsf{dead}$ and execute with $\mathcal{D}$ a computationally UC-secure oblivious transfer protocol using the common reference string $\mathsf{crs}$ and with inputs $(s_0 \| d_0, s_1 \| d_1)$.

Figure 11: The token for the OTM protocol with outgoing communication.


Corrupted Receiver: If David is corrupted, the simulator gets to know all of David's challenges $k_{n,i}$ in the first commitment as well as which shares of $m'$ were opened. Hence, after seeing $m''$, he can choose any $\tilde m'$ he wants (and thus any resulting $m$ and $\mathsf{crs}$) and appropriate shares $(\tilde m'_1, \dots, \tilde m'_\lambda)$ and $(v_{n,i,0}, v_{n,i,1})$ that are correct from David's point of view. By picking a common reference string together with an appropriate trapdoor, the simulator can learn the choice bit $c$ and query it to the functionality $\mathcal{F}_{\mathrm{OTM}}$ to learn $s_c$. Using the equivocability of the UC-commitment the simulator can find appropriate opening information $d_c$ and feed $s_c \| d_c$ to David in the OT protocol. □





Protocol

Parametrized by a security parameter $\lambda$.

Deliver. $\mathcal{G}$ generates a pair of signing and public keys $(\mathsf{sk}, \mathsf{pk})$ for a signature scheme and also an opening key $\mathsf{cok} \leftarrow \mathbb{F}_2^{\lambda}$. Then he picks a random message $m' \leftarrow \mathbb{F}_2^{\lambda}$ and generates the $\lambda$ shares $(m'_1, \dots, m'_\lambda)$ of it using Shamir's secret sharing scheme. For each share $m'_n$, $\mathcal{G}$ picks random vectors $v_{n,i,0} \leftarrow \mathbb{F}_2^{\lambda}$ for $i = 1, \dots, 2\lambda$ and sets $v_{n,i,1} = m'_n - v_{n,i,0}$. He creates the token $\mathcal{T}$ (described in Figure 11) with the hardwired $s_0, s_1, \mathsf{pk}, \mathsf{cok}$ and vectors $(v_{n,i,0}, v_{n,i,1})$ for $n = 1, \dots, \lambda$, $i = 1, \dots, 2\lambda$, and sends it to $\mathcal{D}$. Upon receiving the token $\mathcal{T}$, $\mathcal{D}$ queries $\mathcal{G}$ with random bits $k_{n,i}$ for $n = 1, \dots, \lambda$, $i = 1, \dots, 2\lambda$ in order to get $v_{n,i,k_{n,i}}$. Then $\mathcal{D}$ picks a random subset $\{n_1, \dots, n_{\lambda/2}\} \subset \{1, \dots, \lambda\}$ and asks the token to reveal $(v_{n_j,i,0}, v_{n_j,i,1})$ for $j = 1, \dots, \lambda/2$, $i = 1, \dots, 2\lambda$, which he checks against the information he received from $\mathcal{G}$, aborting if they do not match. $\mathcal{D}$ picks a random message $m'' \leftarrow \mathbb{F}_2^{\lambda}$ and sends it to $\mathcal{G}$. $\mathcal{G}$ sends to $\mathcal{D}$ the message shares $(m'_1, \dots, m'_\lambda)$ and also the commitment opening key $\mathsf{cok}$, which $\mathcal{D}$ forwards to $\mathcal{T}$ in order to get all the shares $(v_{n,i,0}, v_{n,i,1})$. $\mathcal{D}$ checks if $m'_n = v_{n,i,0} + v_{n,i,1}$ for all $i$ and $n$, aborting the protocol if this is not the case. Then he reconstructs $m'$ from the shares, aborting if $m'$ is not uniquely determined by the shares. Both $\mathcal{G}$ and $\mathcal{D}$ use $m = m' + m''$ to generate a common reference string $\mathsf{crs}$. $\mathcal{G}$ signs $\mathsf{crs}$ with his signing key $\mathsf{sk}$ and sends the signature $\sigma$ to $\mathcal{D}$. $\mathcal{D}$ sends $\mathsf{crs}$ and $\sigma$ to $\mathcal{T}$ in order to receive the commitments to $s_0$ and $s_1$.

Choice Phase. When $\mathcal{D}$ gets his input $c \in \mathbb{F}_2$, he sends the message $\mathsf{output}$ to $\mathcal{T}$ and executes with the token a computationally UC-secure oblivious transfer protocol using the common reference string $\mathsf{crs}$ and with input $c$ in order to get the output $s_c \| d_c$. $\mathcal{D}$ checks the correctness of $s_c$ using the commitment that he received previously and the opening information $d_c$.

Figure 12: The computationally secure OTM protocol using one token for the case of outgoing communication.





